Today’s vehicles are undeniably complex, and engineers are struggling to ensure each vehicle's security keeps up with new features.
Forescout estimates that "software in modern cars exceeds 100 million lines of code" — 15 times greater than in avionics software. That means that hackers have numerous points of entry, whether it’s through mobile apps, cell phone networks, internet access, the vehicle’s Controller Area Network (CAN) bus, or even the onboard diagnostics port.
A 2019 Synopsys and SAE study showed that 84% of surveyed automotive professionals worry their current cybersecurity programs aren't keeping up with the technology they support. Worse, nearly a third reported they didn't have a relevant cybersecurity program or team to address that concern.
With consumers anticipating new hardware, software, and content to keep them entertained and informed during a ride, it’s difficult for developers to juggle a growing number of priorities — and to create effective solutions in this complex environment.
This piece digs into the specific, evolving risks that automotive professionals face and offers three concrete strategies to address them.
Car Hacking: A Growing Target
For decades, radio and human conversation were enough to entertain drivers. Today, we expect to remain connected regardless of location, and commutes keep getting longer. Modern cars are equipped with in-vehicle infotainment (IVI) systems and navigation systems that reach a range of third-party apps, and many offer in-car internet and WiFi access. Every one of those connections widens the attack surface.
Disrupting someone's entertainment might be annoying, but if hackers exploit that entry point to access the brakes or steering, the consequences can be dire.
This isn't just a possibility. Recently a hacker broke into two GPS tracking apps, ProTrack and iTrack, gaining access to customers' personal data, the ability to monitor vehicle locations in real time, and the ability to stop engines remotely. Because every customer had been assigned 123456 as a default password, the hacker known as "L&M" told Motherboard that he was able to brute-force "millions of usernames" through the apps' APIs. Although L&M said he was after a reward and wanted to raise awareness of the vulnerability, Motherboard confirmed that, with the access he had, he could have caused traffic jams (and presumably accidents) in multiple countries with a single touch.
In another case, because authentication on the API was poorly implemented, a security researcher was able to use the Nissan Leaf's companion app, NissanConnect, to remotely control another owner's climate settings, drain the car's battery, and read data from recent journeys.
Users are familiar with the need to lock their doors or hide their valuables, but they're less familiar with the cybersecurity tools their cars now require. This presents an opportunity for engineers and CTOs to differentiate their products by providing security users can trust.
Improving Cybersecurity in a Constantly Evolving Industry
There's no one-size-fits-all solution, but changes in key areas can improve user safety.
1. Implement threat detection.
The sooner you’re alerted to a threat or suspicious activity, the better equipped you are to react.
This speaks to the importance of having a strong intrusion-detection system in place. Auth0's anomaly detection provides both brute-force detection and breached-password detection, either of which could have helped protect ProTrack and iTrack customers from L&M's hacking efforts: the first by flagging one source hammering the login API with thousands of account names, the second by refusing 123456 as a password in the first place.
With Auth0, admins can easily set preferences for anomaly detection within their Dashboard. You'll quickly pick up on suspicious activity within your system, instantly receive alerts, and set controls for blocking malicious access attempts.
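What those two checks look like in practice, as an added example that is not Auth0's anomaly-detection code: a sliding-window brute-force detector run over a few constructed log lines, and a breached-password check done the way the Have I Been Pwned range API works (only a hash prefix leaves the client). The log format, the thresholds and the tiny breach corpus are assumptions.

```python
"""Brute-force (credential-stuffing) detection over authentication logs, plus a
breached-password check. Added illustration of the two checks named above; not
Auth0's anomaly-detection code. Log format, thresholds and corpus are assumed."""
from collections import defaultdict, deque
from datetime import datetime
import hashlib

# Constructed sample log: one source IP walks through many account names at
# machine speed (a credential-stuffing pattern); one ordinary user fails twice.
SAMPLE_LOG = """\
2019-04-24T10:00:01Z FAIL user=fleet1001 ip=203.0.113.9
2019-04-24T10:00:02Z FAIL user=fleet1002 ip=203.0.113.9
2019-04-24T10:00:02Z FAIL user=fleet1003 ip=203.0.113.9
2019-04-24T10:00:03Z OK   user=fleet1004 ip=203.0.113.9
2019-04-24T10:00:04Z FAIL user=fleet1005 ip=203.0.113.9
2019-04-24T10:00:05Z FAIL user=fleet1006 ip=203.0.113.9
2019-04-24T10:00:07Z OK   user=alice     ip=198.51.100.7
2019-04-24T10:05:00Z FAIL user=alice     ip=198.51.100.7
2019-04-24T10:20:00Z FAIL user=alice     ip=198.51.100.7
"""


def parse_line(line):
    """Return (epoch_seconds, success, user, ip) for one log line."""
    ts_s, result, user_kv, ip_kv = line.split()
    ts = datetime.strptime(ts_s.replace("Z", "+0000"),
                           "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return ts, result == "OK", user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def detect_bruteforce(log_text, window_s=60, threshold=5):
    """Flag source IPs that make >= threshold login attempts inside any sliding
    window of window_s seconds. Successful attempts count too: credential
    stuffing succeeds on a fraction of tries, and those are the ones that
    matter. Returns {ip: (attempts_in_window, distinct_users)}."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user), oldest first
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _ok, user, ip = parse_line(line)
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), len({u for _, u in q}))
    return flagged


# Constructed stand-in for a breached-password corpus. Store digests, not the
# plaintext list, so the check itself never becomes a credential dump.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("123456", "password", "qwerty", "12345678")}


def is_breached_password(password, corpus=BREACHED_SHA1):
    """k-anonymity style range query (the Have I Been Pwned API convention):
    only the first 5 hex characters of the SHA-1 leave the client; every
    suffix under that prefix comes back and the match is done locally, so the
    corpus operator never learns the candidate password or its full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Stand-in for the remote range endpoint: all suffixes sharing the prefix.
    returned_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in returned_suffixes


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))      # {'203.0.113.9': (5, 5)}
    print(is_breached_password("123456"))     # True
```

The detector counts successes as well as failures on purpose: a stuffing campaign that is 1% successful still produces a burst of distinct usernames from one source, and blocking only on failures would let the successful logins through. In production the same counters would be keyed on user and on device fingerprint as well as on source IP, since a distributed attack spreads the load across many addresses.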
The introduction of IVIs, browsers, and Internet access all widen a vehicle's attack surface, giving hackers more ways in and more ways to hide their attacks.
Hackers won't leave behind a shattered window and an empty console. Without a system for quickly seeing threats, they can stay hidden, data can remain exposed, and PR disasters can mount. If you don't catch flaws early, similar vehicles could remain similarly vulnerable.
2. Create simpler, more secure logins.
Many current cars already come equipped with remote start, but the range of features users can control from a distance will only increase as cars become more connected.
The more users can do remotely, the more hackers can do if they can gain access. A remote interface with easily stolen credentials presents a dangerous vulnerability.
With $22 worth of equipment, researchers in Beijing were able to surreptitiously extend the effective range of a key fob by relaying its signal, convincing the car that the key was right next to it. With the relayed signal they were able to access the vehicle without the driver knowing. Even the Tesla Model S, backed by an extensive security team and encrypted key fobs, yielded control to security researchers who cloned its key fobs.
In the case of the hacked Nissan Leaf, the security researcher could query and control the car's functions with nothing more than the VIN, which is visible through the windshield.
Automotive companies and third-party tech providers that offer apps and online access portals can protect their customers with more stringent authentication measures. Features like multifactor authentication (MFA) and biometrics can help secure that access — and block hackers looking for a quick way in.
With multi-factor authentication, for example, a user needs more than their name and password to log in. Access requires an additional credential, such as a voice snippet, thumbprint, or mobile device. Auth0 Guardian streamlines authentication across devices, which secures your systems while maintaining a positive user experience.
Auth0 Guardian makes multi-factor authentication simple by removing the need to type one-time codes. Instead, users install the Guardian app and approve login requests with the tap of a button. When you're dealing with a high volume of login requests, Guardian makes the process more efficient, so you can focus on developing and distributing new features.
It's critical to confirm user identities at login, in addition to monitoring their behavior once they have access. Without this layer of protection, it's easier for dishonest users to enter a system and wreak havoc.
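To make the Nissan Leaf lesson and the MFA point concrete, here is an added example (not Nissan's API and not Auth0's code) of a remote-vehicle endpoint in its VIN-only form beside a hardened form. The hardened version authenticates the caller, checks that the caller actually owns the VIN being addressed, and demands a recent MFA login before safety-relevant commands such as remote start or unlock. The token is a simplified HMAC-signed stand-in for an OIDC access token; the signing key, the owner table, the fictitious VINs, the action names and the five-minute MFA freshness window are all assumptions.

```python
"""Vulnerable vs hardened authorization for a remote-vehicle API, with step-up
MFA for safety-relevant commands. Added illustration, not Nissan's or Auth0's
code. The token is a simplified HMAC-signed stand-in for an OIDC access token;
key, VINs, owners, action names and the MFA freshness window are assumed."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-only-server-secret"          # assumption: kept server side
# Constructed sample data: which account owns which (fictitious) VIN.
OWNERS = {"alice": {"1HGCM82633A004352"}, "bob": {"JN1AZ0CP1BT000001"}}
VEHICLES = {vin: {"climate": "off", "engine": "off", "locked": True}
            for vins in OWNERS.values() for vin in vins}
SENSITIVE = {"remote_start", "unlock"}            # demand a fresh MFA login
MFA_MAX_AGE = 300                                 # seconds


def vulnerable_status(vin):
    """Before: the VIN, readable through the windshield, is the only 'credential'."""
    return VEHICLES[vin]


def issue_token(sub, amr, auth_time, key=SIGNING_KEY):
    """Mint a token carrying the subject, the authentication methods used (amr)
    and when the user last authenticated (auth_time)."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"sub": sub, "amr": amr, "auth_time": auth_time}).encode())
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, key=SIGNING_KEY):
    """Return the claims, or None if the token is malformed or the MAC fails."""
    try:
        payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, TypeError):
        return None


def hardened_command(token, vin, action, now=None):
    """After: authenticate the caller, check that the caller owns *this* VIN
    (the object-level check the VIN-only API lacked), and require recent MFA
    for actions that move or open the car. Returns (http_status, body)."""
    now = time.time() if now is None else now
    claims = verify_token(token)
    if claims is None:
        return 401, "invalid token"
    if vin not in OWNERS.get(claims["sub"], ()):
        return 403, "caller does not own this vehicle"
    if action in SENSITIVE:
        if "mfa" not in claims["amr"]:
            return 401, "step-up required: mfa"
        if now - claims["auth_time"] > MFA_MAX_AGE:
            return 401, "step-up required: mfa login too old"
    if action == "status":
        return 200, dict(VEHICLES[vin])
    if action == "climate_on":
        VEHICLES[vin]["climate"] = "on"
    elif action == "remote_start":
        VEHICLES[vin]["engine"] = "on"
    elif action == "unlock":
        VEHICLES[vin]["locked"] = False
    else:
        return 400, "unknown action"
    return 200, dict(VEHICLES[vin])


if __name__ == "__main__":
    bob_pwd_only = issue_token("bob", ["pwd"], auth_time=1000)
    print(hardened_command(bob_pwd_only, "1HGCM82633A004352", "status", now=1100))
    # (403, 'caller does not own this vehicle')
    print(hardened_command(bob_pwd_only, "JN1AZ0CP1BT000001", "remote_start", now=1100))
    # (401, 'step-up required: mfa')
```

The ownership check is the part that was missing in the Leaf case: authentication alone does not help if any logged-in user can address any VIN. The freshness check is what a push-based factor such as Guardian makes cheap, because re-confirming on the phone right before a remote start is a single tap rather than a code to type.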
3. Make sure your security solution is extensible.
Vehicles, like mobile devices, risk exposure as they travel, connect, and re-connect.
Some users want to connect phones, tablets, and computers to their cars' interfaces—further expanding entry points. They might also want to connect their cars to local WiFi networks when they park at restaurants, campgrounds, or gas stations. Some cars even offer built-in WiFi hotspots. Security demands shift not only with new features, but with new ways and places to use those features.
As your company and user base evolve, it's important to have infrastructure that can adapt.
To be able to keep up in an industry as dynamic as automotive, your systems for threat detection, authentication, and identity management must be flexible enough to support your shifting business goals. Your technology should enable your success, not hinder your progress.
An outsourced identity provider can take the burden of keeping pace with evolving standards and threats off your shoulders. When your IT team is busy with daily operations, it can be difficult to create systems that meet your current requirements and are also able to transform based on future priorities.
Auth0 offers its partners 100+ pre-built Rules and Extensions (along with the ability to write original code) that allow you to tailor your user management systems as your needs change.
Rules can enrich user profiles, notify other systems via an API when a specific login occurs, restrict access to an allow-list of users, and more. For a full list, see here.
Driving Forward: Work with Systems That Can Get Ahead of Evolving Threats
The OAuth Device Flow, standardized as the OAuth 2.0 Device Authorization Grant in RFC 8628, is an emerging standard for securing cloud APIs that devices like in-car systems reach out to directly. This flow is already used to authenticate people in the living room, sitting on a couch in front of the TV, when they sign in to their favorite streaming services. The Device Flow also streamlines authentication for any device with input constraints, such as having no built-in browser or keyboard, like a car's onboard infotainment system.
As more automotive systems expose APIs for remote access, it will be critical that these entry points be protected with modern authentication features, including threat detection and multi-factor authentication. These features offer proven benefits when implemented in web-based applications. How can in-car systems, with no browser and limited input capabilities, take advantage of these features? Device Flow provides a standard mechanism for extending browser-based authentication to input-constrained devices, allowing users to sign in to their accounts via a secondary device, such as a smartphone. This offers a secure and convenient way to ensure the right user is in control.
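The exchange described above, as an added example that is not Auth0's implementation: an offline simulation of RFC 8628 with both sides in one file. The head unit asks the authorization server for a pair of codes, shows the short user code on its screen, and polls the token endpoint; the driver signs in on a phone (where MFA and threat detection apply) and approves the code; the next poll returns the token. The server binds the device code to the requesting client, enforces the polling interval with slow_down, expires the codes, and makes them single use. The endpoint URL, client id, scope names and the vehicle scenario are assumptions.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628):
both the authorization server and an input-constrained device (a head unit).
Added illustration, not Auth0's implementation; endpoint URL, client id, scope
names and the vehicle scenario are assumptions."""
import secrets

# RFC 8628 section 6.1 recommends a short user code from an alphabet without
# vowels or easily confused characters. Its entropy is bounded, so the code is
# short-lived and the token endpoint enforces a polling interval.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class AuthorizationServer:
    def __init__(self, clock, lifetime=600, interval=5):
        self.clock = clock          # callable returning seconds; injected for tests
        self.lifetime, self.interval = lifetime, interval
        self._by_device = {}        # device_code -> request record
        self._by_user = {}          # normalized user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Device endpoint: the head unit posts here and receives two codes."""
        device_code = secrets.token_urlsafe(32)   # high entropy, never shown to the user
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._by_device[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + self.lifetime,
            "status": "pending", "last_poll": None, "subject": None}
        self._by_user[user_code] = device_code
        return {"device_code": device_code,
                "user_code": user_code[:4] + "-" + user_code[4:],
                "verification_uri": "https://auth.example/device",
                "expires_in": self.lifetime, "interval": self.interval}

    def user_decision(self, typed_code, subject, approve):
        """Verification page: runs in the driver's phone browser after a normal
        login. Returns False for unknown, expired or already decided codes."""
        code = typed_code.replace("-", "").replace(" ", "").upper()
        device_code = self._by_user.get(code)
        if device_code is None:
            return False
        rec = self._by_device[device_code]
        if self.clock() > rec["expires_at"] or rec["status"] != "pending":
            return False
        rec["status"] = "approved" if approve else "denied"
        rec["subject"] = subject
        return True

    def _forget(self, device_code, rec):
        self._by_device.pop(device_code, None)
        self._by_user.pop(rec["user_code"], None)

    def token(self, client_id, device_code):
        """Token endpoint for grant_type urn:ietf:params:oauth:grant-type:device_code."""
        rec = self._by_device.get(device_code)
        if rec is None or rec["client_id"] != client_id:   # bound to the requesting client
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            self._forget(device_code, rec)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}                    # client polled too fast
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        self._forget(device_code, rec)                       # codes are single use
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["subject"]}


class FakeClock:
    """Deterministic time so the exchange replays without real waiting."""
    def __init__(self, start=1000.0):
        self.t = start
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def poll_for_token(server, clock, client_id, auth, after_pending=lambda n: None):
    """Device side: wait `interval`, poll, back off on slow_down, stop on any
    terminal answer. `after_pending` lets a scenario inject the driver's action."""
    interval, polls, events = auth["interval"], 0, []
    while True:
        clock.sleep(interval)
        resp = server.token(client_id, auth["device_code"])
        polls += 1
        if "access_token" in resp:
            events.append("access_token")
            return resp, events
        events.append(resp["error"])
        if resp["error"] == "authorization_pending":
            after_pending(polls)
        elif resp["error"] == "slow_down":
            interval += 5                                    # RFC 8628 section 3.5
        else:
            return resp, events


def run_scenario(approve=True, act_on_poll=2):
    """Head unit asks for vehicle scopes; the driver approves (or denies) on a
    phone after `act_on_poll` polls. Returns (final response, event list)."""
    clock, client = FakeClock(), "ivi-headunit"
    server = AuthorizationServer(clock.now)
    auth = server.device_authorization(client, "vehicle:climate vehicle:location")

    def act(n):
        if n == act_on_poll:   # the driver types the code in lower case; server normalizes
            server.user_decision(auth["user_code"].lower(), "alice", approve)
    return poll_for_token(server, clock, client, auth, act)


if __name__ == "__main__":
    resp, events = run_scenario()
    print(events)        # ['authorization_pending', 'authorization_pending', 'access_token']
    print(resp["sub"])   # alice
```

Two details matter for the security of this flow in a car. The device code, not the user code, is what redeems the token, and it never appears on the screen, so a passenger who photographs the head unit learns only a code that is useless without the driver's phone session. And because the user code is short, the server's protection against someone guessing codes is the combination of the short lifetime, the enforced polling interval, and rate limiting on the verification page.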
Could this protocol be layered upon the many APIs that would power a “smart car”? What are the options that the present and future could offer to the automotive industry to provide a more secure yet smart driving experience? We’re ready to help you solve for possibilities.
Connected vehicles present clear targets for hackers. Securing these systems might seem daunting given the volume and complexity of the software and the increasing demand for new features, but you don't have to figure it out alone.
With the right tools and strategies, you can block cyber criminals, secure vehicles for drivers, and set your company apart in a competitive field.
Auth0, the identity platform for application builders, provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, Sydney, and Singapore, support its customers that are located in 70+ countries.